74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76

General

Target

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
Size

120KB
MD5

006d3038c135e04efc24749d1f9e4e0f
SHA1

955b12400cf6dfbe15b07f058aaecdabfea0509e
SHA256

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76
SHA512

e4499be96ecee0422fc76caee9ab62cf610b0b3f9c0df26e8785a02d457925ba1106d5550dadd48629bc134ec5cb07fa3d279f96ffd0748ae1e8656a27b2bc89
SSDEEP

3072:xGyqafpd1/l0izZF6yCenK2iGlefx8X1y:xGw1pzZF44K3AAKX1

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exenoise.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	noise.exe

Executes dropped EXE 1 IoCs

Processes:

noise.exe

pid process

1712 noise.exe

pid	process
1712	noise.exe

Loads dropped DLL 2 IoCs

Processes:

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe

pid	process
1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

noise.exe74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /s"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /X"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /Z"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /U"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /H"	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /W"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /K"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /k"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /w"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /e"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /y"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /T"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /t"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /o"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /D"	noise.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /g"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /S"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /Q"	noise.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /B"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /l"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /Y"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /E"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /m"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /a"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /q"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /r"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /P"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /J"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /A"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /p"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /i"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /R"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /d"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /I"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /v"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /u"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /F"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /V"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /j"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /f"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /H"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /C"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /x"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /L"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /z"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /G"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /N"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /b"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /c"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /O"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /n"	noise.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\noise = "C:\\Users\\Admin\\noise.exe /h"	noise.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exenoise.exe

pid	process
1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe
1712	noise.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exenoise.exe

pid process

1160 74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
1712 noise.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe

description	pid	process	target process
PID 1160 wrote to memory of 1712	1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe	noise.exe
PID 1160 wrote to memory of 1712	1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe	noise.exe
PID 1160 wrote to memory of 1712	1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe	noise.exe
PID 1160 wrote to memory of 1712	1160	74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe	noise.exe

C:\Users\Admin\AppData\Local\Temp\74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe
"C:\Users\Admin\AppData\Local\Temp\74fcc04493fb7ad4df3e967265b0bd4fcaa10a8f2f8f3b9dce106487003f7d76.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\noise.exe
"C:\Users\Admin\noise.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\noise.exe

Filesize
120KB

MD5
a1cecb0570bce629aa9567e771f44681

SHA1
7b082750ad1473591bfc12bf1c8a46bb441a8871

SHA256
7ebfc3d94ffb4845f71b2ac3b477c1cbc1c13fde1b5cb9e453c9f48b85296a89

SHA512
d11bccb363d5989c398ca63b66cc191936968cbefb36230ca80a7cf4b380eee8cb4f5e6cc184b12d1175f1a27b6501d8ab5d185f10f45bc51d5f8ab6883c69b4

Download Submit
C:\Users\Admin\noise.exe

Filesize
120KB

MD5
a1cecb0570bce629aa9567e771f44681

SHA1
7b082750ad1473591bfc12bf1c8a46bb441a8871

SHA256
7ebfc3d94ffb4845f71b2ac3b477c1cbc1c13fde1b5cb9e453c9f48b85296a89

SHA512
d11bccb363d5989c398ca63b66cc191936968cbefb36230ca80a7cf4b380eee8cb4f5e6cc184b12d1175f1a27b6501d8ab5d185f10f45bc51d5f8ab6883c69b4

Download Submit
\Users\Admin\noise.exe

Filesize
120KB

MD5
a1cecb0570bce629aa9567e771f44681

SHA1
7b082750ad1473591bfc12bf1c8a46bb441a8871

SHA256
7ebfc3d94ffb4845f71b2ac3b477c1cbc1c13fde1b5cb9e453c9f48b85296a89

SHA512
d11bccb363d5989c398ca63b66cc191936968cbefb36230ca80a7cf4b380eee8cb4f5e6cc184b12d1175f1a27b6501d8ab5d185f10f45bc51d5f8ab6883c69b4

Download Submit
\Users\Admin\noise.exe

Filesize
120KB

MD5
a1cecb0570bce629aa9567e771f44681

SHA1
7b082750ad1473591bfc12bf1c8a46bb441a8871

SHA256
7ebfc3d94ffb4845f71b2ac3b477c1cbc1c13fde1b5cb9e453c9f48b85296a89

SHA512
d11bccb363d5989c398ca63b66cc191936968cbefb36230ca80a7cf4b380eee8cb4f5e6cc184b12d1175f1a27b6501d8ab5d185f10f45bc51d5f8ab6883c69b4

Download Submit
memory/1160-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads